This document sets out Europe Incoming’s policy on the protection of information you disclose to us. Protecting the confidentiality and integrity of personal data is a critical responsibility that we take seriously at all times. Europe Incoming will ensure that data is processed in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR).

Europe Incoming requires you to provide contact details of the people you wish to be authorised users of our services in order for us to fulfil our contract with you. In addition, it may be necessary for you to disclose personal data (including Child data or ‘special category’ data, e.g. allergies, disabilities) about your clients/customers as part of our delivery of travel services.

Fair Processing of Data

In processing the personal data, the following principles will be adhered to. Personal data will be:

Used lawfully, fairly and in a transparent way

Collected only for valid purposes that are clearly explained and not used in any way that is incompatible with those purposes

Relevant to specific purposes and limited only to those purposes

Accurate and kept up to date

Kept only as long as necessary for the specified purposes

Kept securely

Personal information (including special category data) will only be processed when there is a lawful basis for doing so and only on your instructions.

No personal data provided to us will be the subject of automated decision making.

The specific lawful basis on which we process information you give us is for the performance of a contract to deliver travel services to your client.

Lawful Processing of Data

It is your responsibility as Data Controller to advise your clients/customers that their data may be transferred to third party processors such as Europe Incoming Limited and seek any necessary consent in respect of that processing.

Please be aware that we will add the personal data of authorised users to our mailing list so we can send updates on the services provided, newsletters and invitations to events by phone, letter or email. This is part of our contractual commitment to ensure that your authorised users are kept up to date with the services we provide for your clients. We also believe we have a legitimate interest in contacting you for this purpose.

If any authorised user wishes to stop receiving such information from us they can ‘opt out’ of the newsletter or ask us to remove their details from our mailing list by contacting us on sales@europeincoming.de

Collection and Retention of Data

Europe Incoming Limited will collect personal information about authorised users at the beginning of our relationship and information about your clients as and when you transmit this information to us for booking travel services.

We will retain that data when it is necessary to do so and only for as long as required to fulfil the purpose/s it was collected for, including the purposes of satisfying any legal, accounting, or reporting requirements.

When determining the retention period for personal data, Europe Incoming will consider various factors such as the nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure and the purposes for which the personal data is processed.

On termination of our contract with you, you may request that we delete personal data or return it to you. We will do so without delay unless there is a lawful basis for us to continue to process it. In this instance, we will securely destroy personal data after the relevant data retention period has expired.

Data Security and sharing

Europe Incoming has in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way.

An IPS perimeter firewall protects against network based attacks from the internet.

All internal networks are separated and restricted using VLANs.

Software based firewalls provide additional security on local servers.

All user and administrative passwords are subject to a policy which requires complexity and frequent changing.

Anti-Virus software is updated daily.

Software and Operating Systems are updated regularly.

Data is backed up multiple times a day, encrypted at storage and sent to an offsite location.

Physical access to the hardware is restricted and requires pre-approved authorization.

Access to personal data of your authorised users and clients/customers is limited to those employees and contractors who have a business need to know. They will only process information on our instructions and are subject to a duty of confidentiality.

We will share personal data with third parties where it is necessary to deliver our travel services and where we have your general or express authority to do so, unless we are required by law to share the data without your authority.

Where we share data with a third party sub-processor we will contractually require the sub-processor to respect the security of the data subject (your client) and to treat it in accordance with the law. Examples of third parties we may share personal data you transmit to us are:

Globetrack

Systems It

Sage / Sage Pay

Contact details of your authorised users (not clients/customers) may also be sent to a digital marketing company for the limited purpose of administering our mailing lists and no other purpose.

Where there is a significant change to a sub-processor, we will inform you and allow you to object before we share personal data.

Your Rights and Obligations

Europe Incoming will conduct regular reviews of the information we hold to ensure its relevancy. You are under a duty to inform us of any changes to lists of authorised users. If you have concerns about the accuracy of personal data we hold please contact us immediately on Gdpr@europeincoming.com

You should also contact us if any data subject (authorised users, clients, customers) indicates that they want to exercise their rights in respect of personal data we hold, including the rights to:

Request access to personal information

Request erasure of personal information

Object to processing of personal information

Request the restriction of processing of personal information

Request the transfer of personal information to another party

Depending on the nature of the request, Europe Incoming may have grounds for refusing to comply with a request. In this case, we will provide an explanation promptly.

If we receive any direct request to exercise rights in respect of personal data we process on your behalf, we will notify you as Data Controller before responding.

Our Rights and obligations

Europe Incoming undertakes to assist you in meeting your obligations under GDPR in relation to the security of processing, notification of data breaches and data impact assessments. We have procedures in place to deal with any data security breach and will notify you as soon as reasonably practicable. Where legally required to do so, we will notify the applicable data regulator; in the UK, this is the Information Commissioner's Office (ICO).

We will assist you in providing data subject access requests and allowing data subjects to exercise their rights in respect of the personal data we hold. Where necessary, this assistance extends to submitting to audits and inspections and providing information you require to satisfy your obligations. We undertake to tell you if we are asked to do anything which would infringe data protection legislation.

Europe Incoming will adhere to the principles of this policy and relevant legislation when designing or implementing new systems or processes.

If you have any further questions please contact us on Gdpr@europeincoming.com